Are you also stripping *.zip attachments? The only MyDoom e-mails I received were the ones packaged as zip files. The
rest were either stripped or blocked by a DNSBL or my spam killer.
-----Original Message-----
From: Brian Guy [mailto:brian () sambizsys com]
Sent: Sat 2/7/2004 12:03 AM
To: 'securityfocus'; jhaith () genesissys com
Cc:
Subject: Re: File Catching Firewall?
We managed to not get a single MyDoom e-mail with the config below.
This approach blocks about 95% of our spam overall.
1. Postfix 2.0 does initial blocks for obvious spam (e.g., DNS
blacklists for open relays, spoofing our IP in HELO, etc.). See
O'Reilly book on Postfix 2.0 for more info.
2. Advosys Mail Filter filters out dangerous attachments, as defined by
you. You decide what file extensions can come through, what gets
blocked. We block all executable and script extensions, but we allow
PDF and a few others.
3. SpamAssassin does content based filtering and some additional DNS
blacklist lookups that we didn't want to block at the MTA level (due to
risk of false positives). We significantly raised the scores assigned
to some of the DNS blacklists so that the messages will get tagged as
spam, but they don't immediately bounce as do the DNS blacklist checks
we do at the MTA level.
I never saw any MyDoom messages with the attachment stripped by Advosys,
so all of our MyDoom mail apparently got stopped by Postfix. I'm still
in shock that none got through.
Regardless of whether you do the Postfix filtering, Advosys should do
what you're wanting. Just search for it on Google and you should find
the source code (it's just a Perl script if I remember correctly).
Good luck!
>-----Original Message-----
>From: Jason Haith [mailto:jhaith () genesissys com]
>Sent: 3 February 2004 22:08
>To: securityfocus
>Subject: File Catching Firewall?
>
>Was asked to look into maybe putting in a Linux box in front of our mail
>server to stop the massive amounts of email attachments we have been
>receiving as of late due to 'MyDoom'. We currently have a WG FireBoxII and
>software on our Mail Server that is supposed to be catching everything, but
>with so much coming in it's missing a lot. I was wondering if anyone had any
>ideas on some type of solution for this, all input is greatly appreciated.
>Thank you.
>
>Jason Haith
>Genesis Systems
>
>
>---------------------------------------------------------------------------
>Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
>course! All of our class sizes are guaranteed to be 10 students or less.
>We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
>and many other technical hands on courses.
>Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
>any course!
>----------------------------------------------------------------------------
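Added example, not code from this thread and not the Advosys Mail Filter's own code: a small attachment-policy filter of the kind step 2 of the setup above describes (an allow-list of extensions, executables and scripts refused), extended so that it also opens every *.zip attachment in memory and applies the same extension policy to the members, which is what the question at the top of the thread is getting at. The ALLOWED/BLOCKED sets are a hypothetical site policy, the sample message and its attachments are constructed inline, and the MTA-level DNSBL and HELO checks of step 1 are not shown.

```python
"""Extension allow-list filter for mail attachments that also looks inside
ZIP archives. Added example, not the Advosys Mail Filter; ALLOWED/BLOCKED
are a hypothetical site policy and the sample message is constructed here."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage, MIMEPart

ALLOWED = {".pdf", ".txt", ".jpg", ".png", ".gif"}        # hypothetical allow-list
BLOCKED = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta"}
MAX_ZIP_DEPTH = 2   # zips nested deeper than this are refused rather than inspected

def ext_of(name):
    """Lower-cased final extension of a filename ('' if it has none)."""
    return os.path.splitext((name or "").lower())[1]

def name_verdict(name):
    """Apply the extension policy to one filename -> (ok, reason)."""
    e = ext_of(name)
    if e in BLOCKED:
        return False, f"{name!r}: extension {e} is always blocked"
    if e in ALLOWED or e == ".zip":          # .zip is only provisionally allowed
        return True, f"{name!r}: extension {e} allowed"
    return False, f"{name!r}: extension {e or '(none)'} not on the allow-list"

def zip_verdict(name, data, depth=0):
    """Apply the policy to every member of a ZIP held in memory. Encrypted
    members and unreadable archives cannot be inspected, so they are refused."""
    if depth >= MAX_ZIP_DEPTH:
        return False, f"{name!r}: zip nested too deeply to inspect"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:      # general-purpose bit 0 = encrypted
                    return False, f"{name!r}: encrypted member {info.filename!r}"
                ok, reason = name_verdict(info.filename)
                if ok and ext_of(info.filename) == ".zip":   # zip inside a zip
                    ok, reason = zip_verdict(info.filename, zf.read(info), depth + 1)
                if not ok:
                    return False, f"{name!r}: {reason}"
    except zipfile.BadZipFile:
        return False, f"{name!r}: not a readable zip archive"
    return True, f"{name!r}: every zip member passes policy"

def part_verdict(part):
    """Verdict for one non-multipart MIME part that carries a filename."""
    name = part.get_filename()
    ok, reason = name_verdict(name)
    if ok and ext_of(name) == ".zip":
        ok, reason = zip_verdict(name, part.get_payload(decode=True))
    return ok, reason

def check_message(raw):
    """[(filename, ok, reason)] for every attachment of a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), *part_verdict(p))
            for p in msg.walk() if not p.is_multipart() and p.get_filename()]

def strip_blocked(msg):
    """Replace each blocked attachment with a text/plain notice, in place,
    recursing into nested multiparts."""
    if not msg.is_multipart():
        return msg
    kept = []
    for part in msg.get_payload():
        if part.is_multipart():
            part = strip_blocked(part)
        elif part.get_filename():
            ok, reason = part_verdict(part)
            if not ok:
                part = MIMEPart()         # the notice takes the attachment's slot
                part.set_content(f"Attachment removed by policy: {reason}\n")
        kept.append(part)
    msg.set_payload(kept)
    return msg

def surviving_attachments(raw):
    """Parse, strip blocked parts, and return the filenames that survive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in strip_blocked(msg).walk() if p.get_filename()]

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()

def build_sample():
    """Constructed message: a PDF, a bare .scr, a zip hiding an .exe, a zip of a PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "hi"
    msg.set_content("see attached\n")
    for fname, sub, data in [("report.pdf", "pdf", b"%PDF-1.4 stub"),
                             ("photo.scr", "octet-stream", b"MZ stub"),
                             ("document.zip", "zip", make_zip({"document.exe": b"MZ stub"})),
                             ("notes.zip", "zip", make_zip({"notes.pdf": b"%PDF-1.4 stub"}))]:
        msg.add_attachment(data, maintype="application", subtype=sub, filename=fname)
    return msg.as_bytes()
```

Running check_message(build_sample()) passes report.pdf and notes.zip and refuses photo.scr and document.zip, the latter because of the .exe inside it; surviving_attachments() shows the same message after the two offenders have been swapped for notices. The filter is deliberately fail-closed: anything it cannot inspect (an encrypted zip member, a corrupt archive, a zip nested deeper than MAX_ZIP_DEPTH) is refused, since a filter that lets uninspectable archives through is exactly the gap a worm packaged as a zip would walk through. It judges only by extension, so it complements rather than replaces a content scanner and the DNSBL rejections done at the MTA.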